COUNTY OF FAIRFAX, VIRGINIA
OFFICE OF FINANCIAL AND PROGRAM AUDIT
FAIRFAX COUNTY BOARD OF SUPERVISORS
AUDITOR OF THE BOARD
www.fairfaxcounty.gov/boardauditor
March 2017 Quarterly Report
Table of Contents
PENSION PLANS REVIEW (FOLLOW-UP)
CONSULTANTS / CONTRACTORS STAFF REVIEW
STAFF INITIATED TRAINING REVIEW
TIME AND ATTENDANCE REVIEW
APPENDICES
LIST OF ACRONYMS
PENSION PLAN REVIEW (FOLLOW-UP)
OBSERVATIONS AND ACTION PLAN
BACKGROUND
The purpose of this study was to review the pension funds which serve as a secure source of
retirement income. The Total Assets for the three retirement plans for fiscal year (FY) 2016 were
~$6.5B. The FY 2016 employer contribution for each of the three retirement systems was
~$261M. The prior quarter’s review included assessing controls over fees put forth by fund
managers, the inclusion of these fees in relevant documents and the reconciliation support
(Transaction, Asset and Accrual, General Ledger Detail Reports, etc.) provided by BNY
Mellon Bank. The periods of review were FY 2015 and FY 2016. As requested by the Audit
Committee, the Office of Financial and Program Audit (OFPA) worked with the Retirement
Administration Agency (RAA) to develop a scope and work plan to assist in performing the
review. The results of this study may not highlight all of the risks/exposures, process gaps,
revenue enhancements and/or expense reductions which could exist in the area. Items reported
are those which could be assessed within the scheduled timeframe and scope.
SCOPE AND METHODOLOGY
The scope of this study included, but was not limited to, assessing contract compliance between Fairfax
County Government, External Fund Managers, and the custodian bank (BNY Mellon). This included
an assessment and review of service delivery by the above mentioned vendors. Additionally, as
requested by the Audit Committee, we performed an assessment of the system of internal controls
employed by Fairfax County. We also performed an assessment of how RAA tracks and monitors
fund managers’ contract compliance. This process was facilitated through substantive tests of
supporting documentation and the respective contracts. As part of this review we liaised with the
Office of the County Attorney to confirm their participation in the review of the external counsel’s
candidacy. As per conversations with RAA, the hiring process of the RAA counsel has been
relegated to the Office of the County Attorney. Lastly, included in this study was an analysis of
the miscellaneous and management fees. This follow up review was a more in-depth analysis of
the controls over the source documentation, e.g., the reconciliation support (Transaction, Asset and
Accrual, General Ledger Detail Reports, etc.) provided by BNY Mellon Bank. The periods of
this review were FY 2015 through FY 2016. We performed this study on a sample basis. Staff
reviewed and made recommendations where applicable.
Retirement benefits for employees of Fairfax County (the County) are provided through three
separate defined benefit public retirement systems:
1. Employees' Retirement System: For County employees not served by the other two systems and
Schools employees not served by the Virginia Retirement System and the Fairfax County
Educational Employees Supplementary Retirement System.
2. Uniformed Retirement System: Fire and Rescue personnel, Uniformed Sheriff employees,
Helicopter Pilots, and certain staff in Public Safety Communications.
3. Police Officers Retirement System: Sworn Police Officers.
Three separate Boards of Trustees are responsible for carrying out the provisions of each of the
three pension plans (plans) as established by County ordinance. This includes establishing the
investment administration, objectives, strategies, policies, and investing assets for their respective
plans.
Under the direction of the Boards of Trustees, the RAA is responsible for the day-to-day functions
of the Plans. RAA staff implements the strategies and policies established by the Boards and
ensures timely delivery of member services and benefits. RAA staff oversees investment
management firms employed by each of the three Boards and ensures adherence to the plans’
executed contracts.
Pension Plan Funding
The plans receive funding through:
• Employee contributions based on a fixed percentage of pay.
• Employer (County) contributions based on a variable percentage of employee pay as
determined by actuarial analyses.
• Returns on plan investments.
The County’s Board of Supervisors approves the employer contribution rates as part of the annual
budget process. Annual actuarial analyses are conducted for each plan and actuarial experience
studies are performed every five years. For each analysis, evaluations are made of the rate of return
for the investments of the plans. The required annual contribution rate is determined by other
financial and demographic factors of the County.
For FY 2016, the Police Retirement System increased by 0.9%; the fund for general County
employees declined by 0.4%; and the Uniformed Retirement System was down by 0.9%. As a
result, pension contributions by the County disbursed from the general fund budget were higher
than prior years. These funds were utilized to meet the retirement plan obligations. Over the
past two years, performance of the three retirement systems was below the 7.25% target.
Performance at these levels increases the net pension liability for the County.
Schedule of Net Pension Liability (3 Retirement Plans)
Retirement Plans                      Plan Fiduciary Net Position %age (2016)
Employees Retirement System           70.2%
Police Officers Retirement System     81.4%
Uniformed Retirement System           77.2%
Investment Responsibility
RAA Investment Plans are monitored and overseen by each Plan’s Board of Trustees. The Trustees
rely on RAA for strategic advice, implementation and management/oversight of the contracted
investment managers. Included in the plan contracts and memorandums are Investment Policies.
These Policies detail investment objectives, guidelines and performance standards. RAA staff
oversees the contracted investment managers’ performance.
RAA staff does not perform direct buy/sell investment activity. There are 85 contracted
investment managers across the three Systems. Of these 85 investment managers, 22 serve more
than one Plan and six serve all three. Approximately 65% of RAA accounts are commingled funds
and 35% are separate accounts. Lists of Fund Managers are provided in Appendices A, B, and C.
RAA staff has procured a consulting firm (Judge Consult Inc.) to perform operational due diligence
on Fund Managers prior to them being on-boarded. This practice commenced approximately two
years ago. RAA is currently in the process of performing a look-back on Fund Managers on-
boarded prior to the implementation of this practice.
The County contracts with the firm (Cherry Bekaert LLP) to conduct annual financial audits and
related disclosures reported in the Retirement System Comprehensive Annual Financial Report
(CAFR). KPMG LLP was the County’s accounting firm until FY 2015. At the conclusion of the
annual financial audit, Cherry Bekaert LLP provides the County with an opinion as to the
assurance of the accuracy of the statements, including whether or not the statements were
reported in compliance with Generally Accepted Accounting Principles (GAAP) in all material
respects. OFPA relied on the information reported in the CAFRs of the Retirement Systems for our
study.
Our audit approach included interviewing internal staff, custodian and external fund contacts.
Also, to facilitate the review process, OFPA observed employees' work functions, performed
detailed transaction testing, and evaluated the processes holistically for compliance with internal
controls, regulations, and departmental policies and procedures.
OFPA conducted a data-driven risk assessment tailored to the County’s operating environment
related to the review of pension plans. OFPA also reviewed the departmental procedures to
ensure the processes employed were holistic and complete.
OBJECTIVES AND RESULTS
Business Objectives                                                        Study Assessment
Investment Target Performance on RAA Systems Over 20-year Horizon          Satisfactory
Errors and Omissions Professional Liability Insurance Maintained           Satisfactory
Oversight of Fund Manager Fees                                             Needs Improvement
Review of Contracts by External/Internal Counsel                           Needs Improvement
Completeness of BNY Mellon Transaction Detail Reports                      Needs Improvement
Control Summary
Good Controls:
• Investment Performance targets of (7.5%) were achieved for all three plans over a 20-year horizon as of FY 2015.
• Updated copies of Professional Liability Insurance maintained by RAA, which is a compliance standard for the contract.
Weak Controls:
• Sole reliance is on service providers to compile expenses for the commingled funds.
• The full repository of fund contracts has not been reviewed by internal/external counsel.
• Transaction Detail Reports provided by BNY Mellon are incomplete. Aggregate information is provided by the managers of the commingled funds. This process limits the ability of either BNY Mellon or RAA to vouch/verify the accuracy of the related transactions.
OBSERVATION(S) AND ACTION PLAN(S)
The following table(s) detail observation(s) and recommendation(s) from this study along with
management’s action plan(s) to address these issue(s).
Fairfax County
Office of Financial and Program Audit
Oversight of Fund Manager Fees
Risk Ranking MEDIUM
As reported in a prior quarter’s study, OFPA observed some plan expenses were compiled and remitted
by the managers of the commingled funds without complete source documentation. Substantive testing
also revealed a majority of these fund expenses were netted against the performance of the funds.
These back-office processes were performed by the investment manager without intervention/oversight
by RAA management or BNY Mellon. As part of an after-event process, BNY Mellon forwards a
reconciliation package to RAA. As a reasonableness test, RAA reviews and vouches aggregate data.
This process reduces staff ability to assess the reasonableness of the fund expenses submitted by each
manager of the commingled funds. Expense support is not provided with this package. As per OFPA’s
interview with a BNY Mellon representative, no review of these expenses is performed by their staff.
Therefore, sole reliance is on the managers of the respective commingled funds to record accurate
expense and income items. The independent third party service providers for the funds also participate
in the review and validation of the expenses and income for the funds.
All fund managers’ performances are evaluated based on their portfolios’ returns net of fees. For managers with which RAA has separate accounts, Senior Investment Officers review the monthly/quarterly statements for accuracy (including fees charged). For commingled funds, RAA does not have visibility for all fees at a transactional level. Commingled funds are assets from several accounts that are blended together. RAA receives annual financial statements for these commingled funds. Reliance is on the funds’ auditors, custodial banks, third-party administrators, and directors/trustees for determining the accuracy of fees and other data. Audited financial statements for management companies/general partners that are privately owned entities are not available.
As visibility to source data and subsidiary ledgers which support the Audited Financial Statements of the funds of the Retirement System would be beneficial to the review process by RAA, consideration should be given to updating the contract language to include a “Right-to-Audit” clause.
RAA has undergone a reorganization whereby an existing position has been converted into an Investment Operations Manager. Onboarding for this position has already taken place. The Investment Operations Manager’s responsibilities include (but are not limited to) improving on RAA’s accounting and record keeping practices, and obtaining/retaining custodial bank source documentation.
Of the 85 investment managers, we selected 15 to perform substantive testing on the plan expenses.
We obtained the expense support (source documentation, compilation and methodology) for plan
expenses submitted by the respective funds to RAA. The results of the substantive testing are as follows:
• 7 fund managers reported accurate fee assessments as per the contract.
• 8 fund managers’ plan expenses were netted against dividends from the (sale of investments,
redeemed shares, and/or realized returns). Complete supporting documentation was not
provided to the County Retirement staff. There was no transparency for these transactions. Sole
reliance is on the respective managers and independent third party service providers for the
commingled funds, to ensure the accuracy of these transactions.
Recommendation
OFPA recommends RAA request that the managers of commingled funds remit all supporting
documentation for assessed fund expenses. This information should be maintained in a repository in
accordance with the County’s record retention policy. As a review of all these expenses would not be
manageable or feasible at the current staff level, we also recommend that validation is performed on a
sample basis. Requiring that these documents be submitted and maintained would provide RAA staff
with the needed information to facilitate the recommended review. It would also give the fund manager
the perception that oversight is being performed and that RAA is validating the fund expenses.
OFPA also recommends that consideration is given to having RAA staff work with the procured external
counsel (when on-boarded) to draft and include in all Fund Managers’ contracts a provision for a “Right-to-Audit”
clause. A Right-to-Audit clause would provide visibility to source data and subsidiary ledgers
which support the Audited Financial Statements of the funds of the Retirement Systems. This would be
beneficial to the review process by RAA.
Action Plan
Point of Contact      Target Implementation Date      Email Address
Jeffrey Weiler        1st July 2019
MANAGEMENT RESPONSE:
Commingled funds have an external administrator (who values their positions and calculates their
performance), independent Board of Directors, external legal counsel and external auditor (which
produces annual financial statements detailing assets under management, fees, expenses, performance,
etc.).
Prior to the recommendations made by OFPA, RAA contacted all fund managers and requested a detailed
breakdown of fees by month for each fund and that they provide additional ongoing transparency regarding
fees and expenses.
RAA will enhance the existing fee based reconciliation process to include a more complex analysis of
commingled fund fees through the use of software and / or applications designed to forecast expected charges
based on fund data. We will ask that all fund managers deliver the data required for such analysis in a
systematic way and with as much transparency as their infrastructure will allow. RAA will review forecasted
charges against actual charges and address and remedy variances as soon as they are discovered. RAA will also
review existing documentation of contractual charges for all fund managers in order to properly structure a
forecast model for analysis. Based on the efforts already taken in this endeavor, RAA will execute the enhanced
fee reconciliation for all funds July 1, 2018. RAA anticipates milestones every six months, beginning with
systematic data delivery from fund managers coinciding with internal infrastructure design and deployment.
There will be continuous validation on a sample basis until all funds have been integrated into the new process,
and ultimately, the July 1st, 2019 deployment of the enhancement.
Separately, Staff is exploring working with an external consultant to conduct a thorough analysis annually of a
handful of commingled funds’ audited financial statements. The goal would be to confirm management and
incentive fees paid by the fund to the general partner, monitor the level of assets that the general partner
redeems from the fund (if any), monitor the level of assets of the limited partnership itself, calculate fund
expense ratios (on a best efforts basis), monitor instrument liquidity and monitor potential strategic
investments made by the fund.
Review of Contracts by External/Internal Counsel
Risk Ranking MEDIUM
Offering documents and agreements for RAA’s Plan Funds contain important information regarding
investing in the fund, investment strategies, investment guidance, domestic versus international,
investment risks, fees/expenses, and fund managers’ conflicts of interest. A fund may also be invested
in derivatives (such as options and futures) and use short-selling (selling a security it does not own) to
increase its potential returns. This could likewise increase the potential gain or loss from an
investment. As these investment strategies require increased oversight, review and sign-off of contract
language is important to protect the interest of the County. The Office of the County Attorney worked
with RAA in regard to creating an RFP for external counsel to review investment contracts. This
decision was based on the assertion that reviews of this type require specialized expertise. The Office
of the County Attorney does not employ counsel with this type of legal expertise. The RAA concurs
with the approach whereby an RFP includes the specifications reflected in the investment
counsel services contract awarded to the Virginia Retirement System (VRS). Although there is benefit to
having external counsel review and sign off on contract language prior to an agency entering into
contracts, this process has not been performed holistically for the RAA agency over the past several
years.
Secondly, it would be beneficial to have external counsel assist RAA in evaluating conflicts of interest
disclosures completed by all fund managers. This review would allow RAA staff and external counsel to
evaluate exposure related to the disclosure of proprietary information. Consideration should also be
given to the inclusion of contract language related to indemnification, confidentiality, and jurisdiction.
The development of parameters by which this language should be drafted to address the concerns of
any exposure related to these business risks for inclusion in the updated contracts would enhance the
system of controls related to the management of RAA funds. This process would assist RAA
management in assessing any related risk and/or current infractions. If these disclosures do not exist
in the current contracts, we recommend that consideration is given to having them updated to reflect
this change.
Recommendation
Aligned with the observation above, OFPA recommends that the following endeavors are undertaken by the
County Attorney’s Office and RAA:
• RAA should liaise with the procured external counsel (when on-boarded) to develop a process whereby
reviews of fund manager contracts are performed for future and existing contracts.
• RAA should liaise with the procured external counsel (when on-boarded) to develop a process whereby
all fund managers’ completed conflicts of interest disclosures are reviewed. Included in this process, we
also recommend that consideration is given to the inclusion of contract language related to
indemnification, confidentiality, and jurisdiction. RAA staff and the County’s counsel are in the process of
developing parameters by which this language should be drafted to address the concerns of any
exposure related to these business risks.
Action Plan
Point of Contact                                      Target Implementation Date      Email Address
Jeffrey Weiler, Gail Langham, Benjamin Jacewicz       31st December 2017
MANAGEMENT RESPONSE:
RAA’s design of a complete and comprehensive strategic partnership risk mitigation process is underway.
Legal review of new and existing contracts is a critical step in the on-boarding of fund managers as well as the
review of those already utilized. RAA concurs with OFPA’s recommendation and assessment and will work
with the County Attorney’s Office to procure external counsel by the calendar year end 2017, if not sooner.
Once procured, RAA and legal counsel will build a thorough and comprehensive process of legal structure
analysis, indemnification and all pertinent fiduciary constructs for investing with care.
BNY Mellon Transaction Report that Details Transactions by Category
Risk Ranking LOW
Our review of BNY Mellon’s Transaction Report revealed incomplete transaction detail. Included in the report
submitted to RAA is summarized transaction information by category. This report should include all transaction
details for Fund Manager activity. These summary activities are compiled based on dividend income, interest
income, proceeds from sales of investments, investment management and other plan fees, stock loan income,
etc. We worked with a BNY Mellon representative to understand the discrepancies identified in this report. Our
contact could not explain or reconcile the differences. RAA staff were advised of this issue; they are actively
working with the custodian bank to reconcile these issues on a going forward basis.
We also observed that Investment Manager fees did not populate in the BNY Mellon Transaction Detail Report for
eight of the Fund Managers. Expenses were netted against dividends from the (sale of investments, redeemed
shares, and/or realized returns). Complete supporting documentation was not provided to the County Retirement
staff. In many instances only the Net Asset Value of investments held at the custodian bank populated in the
reports. As limited transparency related to these transactions is provided, sole reliance is on the respective
managers and independent third party service providers of the commingled funds to ensure the accuracy of these
transactions.
Recommendation
OFPA recommends RAA endeavor to work with the Custodian to reconcile BNY Mellon’s month-end reconciliation to
the respective expensed management fees utilizing the requested support discussed in the recommendation above.
Consideration should be given to reconcile the differences and develop procedures to identify process gaps for
one-time fixes. This information should be utilized to improve the accuracy of reporting going forward.
Action Plan
Point of Contact      Target Implementation Date      Email Address
Jeffrey Weiler        1st July 2018
MANAGEMENT RESPONSE:
RAA worked with Mellon to determine the extent to which they could provide further detail in the transaction
report extracted from the Workbench application the custodian provides. Because the custodian’s purpose is to
custody assets and not to formulate any kind of investment calculation, Mellon must rely on the data submitted
from fund managers. Most of the funds held by RAA are commingled funds, of which RAA is only a percentage
owner. Because of this, fund managers report to Mellon only that which relates to RAA’s accounts, and portion
of the total investment, in the form of summary activity. Commingled funds do not transact on an investor
level, but instead, on the fund level. Therefore, summary is all Mellon is able to post to Workbench, and all that
is extracted and utilized in RAA’s reconciliation processes. The summary is RAA’s portion of the NAV (Net Asset
Value) of the fund and is always net of fees. Reconciliations are performed by both Mellon and RAA, in order to
highlight differences in NAV and to report fund performance to the Boards. Material differences and a detailed
breakdown of the cause of the difference is done by Mellon through their reconciliation process between
themselves and the fund managers, a report of which is given to RAA.
As such, Mellon is unable to post more transaction detail unless provided by the fund managers. RAA will
survey the fund manager’s capability and continue to work with Mellon to post any additional details that could
be provided.
RAA has already instructed Mellon how to change the way they are posting certain items like share redemptions
that reflect the payment of management fees. RAA will request that Mellon modify existing methods of
transaction posting (to the best of their ability) and will supplement the custodian’s reports with additional
detail, when possible. RAA will also continue to monitor and reconcile the custodian and fund manager data
and action variances, with a target date of July 1st, 2018 for more robust and prolific reporting by the custodian
and reconciliation process by RAA.
CONSULTANTS / CONTRACTORS STAFF REVIEW
OBSERVATIONS AND ACTION PLAN
BACKGROUND
The purpose of this review was to assess the nature, extent, allowability, and reasonableness of
consulting and contractor costs to the County. For the purpose of this study,
consultants/contractors were defined as persons who are members of a particular profession or
possess a special skill and who were not officers or employees of the County. The study included
consultant costs charged directly to contracts, and those charged through indirect pools such as
overhead and administrative expenses.
This study was conducted as Phase III of an ongoing process whereby we initially worked with
selected agencies/departments. Two agencies/departments were selected for review this period:
the Department of Cable and Consumer Services (DCCS) and the Office of Emergency
Management (OEM). The results of this study may not highlight all of the risks/exposures, process
gaps, revenue enhancements and/or expense reductions which could exist in the area. Items
reported are those which could be assessed within the scheduled timeframe and scope.
Included in the Fairfax County Code are the terms and conditions for constructing, standards for cable television operations, and the County's authority to administer the fulfillment of the franchise requirements. The Fairfax County Code was revised in January 2001 to include provisions that better promote cable system competition in Fairfax County and improve customer service standards enforcement.
SCOPE AND METHODOLOGY
The goal of this study was to assess staffing levels, assignments, and hiring practices for
consultants/contractors. During the execution of the work plan for this study, we realized that no
repository existed whereby a complete list of consultants was detailed. Information related to the
employees sampled was limited to the timeframe for which FOCUS was implemented. These
anomalies resulted in OFPA staff restructuring the method by which we evaluated the processes
and controls utilized to practice direct oversight with respect to the above mentioned attributes.
Given the instances above, OFPA staff vouched vendor billings, validated the related support
provided before disbursements, and reviewed the procurement process for consultants/contractors, system
access for consultants/contractors, background validation, onboarding for consultants/contractors,
contract compliance and service delivery, the disbursement register (to validate that
remittances were made to only approved vendors, including taking discounts and timely
payments), and other related attributes.
Our audit approach included interviewing appropriate staff, reviewing consultant work functions,
substantive transaction testing, and evaluating the processes for compliance with sound internal
controls, regulations, and departmental policies and procedures. OFPA staff conducted a data-
driven risk assessment tailored to the County’s operating environment related to the
consultants/contractors review. OFPA staff also reviewed the agencies’/departments’ procedures
to ensure the process employed was holistic and complete.
Lastly, with the assistance of DPMM and FBSG, OFPA was provided access to Spikes Cavell (The
Observatory). This software is a modular suite of data-driven online tools that have been
designed to meet the unique requirements of the public sector delivered as a cloud based service.
OFPA utilized this tool to extract the total population of contractors procured by the County to
select a sample for substantive testing. The selected sample was also utilized to extract a test
group of consultants (staff augmentation) for the above mentioned attributes.
Oversight of the County’s consultants/contractors is decentralized as the management, cost
reconciliation and hiring is relegated to the agencies/departments. No repository existed which
housed a listing of all County consultants/contractors which could be utilized to track and monitor
the process by an independent party.
OBJECTIVES AND RESULTS
Business Objectives                                                 Study Assessment
Controls Over the Procurement of Consultants/Contractors            Satisfactory
Tracking of Service Delivery                                        Satisfactory
Updated Certificates of Insurance for Vendors – DCCS & DPMM         Needs Improvement
Additional Insurer in Insurance Certificate – DCCS & DPMM           Needs Improvement
Control Summary
Good Controls:
• Agencies/departments work directly with DPMM to procure the vendors and services. As subject matter experts in the area of procurement, DPMM provides competent guidance.
• The respective agencies/departments verify agreed upon service deliveries based on contracted criteria.
Weak Controls:
• Maintenance of Updated Certificates of Insurance for vendors. – DCCS & DPMM
• Fairfax County, its elected and appointed officials, officers, boards, commissions, commissioners, agents, and employees included as additional insured parties in insurance certificates. – DCCS & DPMM
OBSERVATIONS AND ACTION PLAN
The following table(s) detail observation(s) and recommendation(s) from this study along with
management’s action plan(s) to address these issue(s).
Updated Vendor Certificates of Insurance – DPMM
Risk Ranking LOW
When an institution contracts with a vendor for materials, equipment, supplies, or services, that vendor’s
activities and the goods provided create an inherent liability risk to the institution. By obtaining an
appropriate certificate of insurance and maintaining it on file, the institution has evidence that insurance
has been obtained which transfers risks associated with the business relationship with the vendor from the
institution to the insurer.
Substantive testing of OEM & DCCS contracts revealed 3 out of 8 (or 38%) of the Certificates of
Insurance existed but the policies had expired (Lee Hartman and Sons Inc., Trinity Video Communications,
and ManTech International Corporation). Additionally, the certificate of insurance for one vendor (Digital
Video Inc.) was not maintained. As per our interview with Risk Management, updated copies of these
documents should be maintained by the County. We were also informed that it is the responsibility of the
agencies that have contracting authority to ensure that these documents remain current in the respective
files. Further to this issue, we were also informed by Risk Management that language should be included
in the contracts to inform vendors of their responsibility to forward updated Certificates of Insurance to
the County if and when they expire. Efforts should be made to address this issue holistically and as
mentioned above, a mechanism should be developed to monitor and update these documents in the files
as needed.
Recommendation
OFPA recommends that DPMM work with vendors to obtain updated Certificates of Insurance documents
and include them in contract files. Processes should be developed to ensure that these files remain
updated.
We also recommend that consideration be given to including, in the contract templates, language informing
vendors of their responsibility to forward updated Certificates of Insurance to the County if and when
they expire.
Action Plan
Point of Contact | Target Implementation Date | Email Address
Cathy Muse | 31st August 2017 |
MANAGEMENT RESPONSE:
Management concurs with the observation and recommendation. Staff is currently in the process of
obtaining current certificates of liability insurance which are not in the files. We are also in the process
of drafting language regarding certificate updates for inclusion in the contracts as they renew.
Updated Vendor Certificates of Insurance – DCCS
Risk Ranking LOW
When an institution contracts with a vendor for materials, equipment, supplies, or services, that vendor’s
activities and the goods provided create an inherent liability risk to the institution. By obtaining an
appropriate certificate of insurance and maintaining it on file, the institution has evidence that insurance
has been obtained which transfers risks associated with the business relationship with the vendor from the
institution to the insurer.
A sample of DCCS contract files revealed that an updated Certificate of Insurance was not on file at the
department. As per our interview with Risk Management, updated copies of these documents should be
maintained by the County. We were also informed that it is the responsibility of the agencies to ensure
that these documents remain current in the respective files. Further to this issue, we were also informed
by Risk Management that language should be included in the contracts to inform vendors of their
responsibility to forward updated Certificates of Insurance to the County if and when they expire.
Triggered by this review, an updated certificate has been obtained for the vendor identified in OFPA’s
sample. Efforts should be made to address this issue holistically and as mentioned above, a mechanism
should be developed to monitor and update these documents in the files as needed.
Recommendation
OFPA recommends that DCCS work with vendors to obtain updated Certificates of Insurance documents
and include them in contract files. Processes should be developed to ensure that these files remain
updated.
Action Plan
Point of Contact | Target Implementation Date | Email Address
Michael S. Liberman, Rebecca L. Makely | (Implemented) 15th February 2017 |
MANAGEMENT RESPONSE:
DCCS maintains the Certificates of Liability Insurance on file and has instituted a procedure with timed
reminders to ensure that each cable operator submits a new certificate when the current one expires, and
to review each certificate for compliance.
Insured Entities Recorded on the Certificate - DCCS
Risk Ranking LOW
All commercial general liability insurance policies shall name the County, its elected and appointed
officials, officers, boards, commissions, commissioners, agents, and employees as additional insured
parties.
The County, its elected and appointed officials, officers, boards, commissions, commissioners, agents, and
employees were not included on the Comcast Certificate of Liability Insurance as additional insured
parties. In the event of a lawsuit whereby the vendor was negligent, including the County on the
certificate should facilitate the process of recovery. Further to the benefits of this process, the
responsibility of both legal and financial coverage (for the County) from the Insurance Company will be
documented.
Recommendation
OFPA recommends that DCCS work with the Insurer to include the County, its elected and appointed
officials, officers, boards, commissions, commissioners, agents, and employees as additional insured
parties.
Action Plan
Point of Contact | Target Implementation Date | Email Address
Michael S. Liberman, Rebecca L. Makely | (Implemented) 16th February 2017 |
MANAGEMENT RESPONSE:
DCCS obtained the updated Certificate of Liability Insurance from Comcast Corporation which includes the
County of Fairfax as an Additional Insurer.
Insured Entities Recorded on the Certificate - DPMM
Risk Ranking LOW
All commercial general liability insurance policies shall name the County, its elected and appointed
officials, officers, boards, commissions, commissioners, agents, and employees as additional insured
parties.
The Certificates of Liability Insurance (Leap Frog Solutions, Inc. and ManTech International Corporation) did
not detail the County, its elected and appointed officials, officers, boards, commissions, commissioners,
agents, and employees as additional insured parties. In the event of a lawsuit whereby the vendor was
negligent, including the County on the certificate should facilitate the process of recovery. Further to the
benefits of this process, the responsibility of both legal and financial coverage (for the County) from the
Insurance Company will be documented.
Recommendation
OFPA recommends that DPMM work with the Insurer to include the County, its elected and appointed
officials, officers, boards, commissions, commissioners, agents, and employees as additional insured
parties.
Action Plan
Point of Contact | Target Implementation Date | Email Address
Cathy Muse | 31st August 2017 |
MANAGEMENT RESPONSE:
Management is in the process of liaising with vendors to have contracts updated with the County as an
additional insurer. This update is not applicable for all of the County’s contracts; to that end, the updates
will be made where appropriate.
STAFF INITIATED TRAINING REVIEW
OBSERVATIONS AND ACTION PLAN
BACKGROUND
At the request of the Audit Committee (AC), the Staff Initiated Training study was added to the
March 2017 work plan. The purpose of this review was to determine, on a sample basis, if
training initiated by employees and paid for by the County was aligned with their Position
Descriptions (PD) and/or job functions. To facilitate this review, OFPA reviewed a sample of
trainings procured outside of the County. For the purpose of this review, training included
seminars, conferences, meetings, and certifications. The results of this study may not highlight
all of the risks/exposures, process gaps, revenue enhancements and/or expense reductions
which could exist in the area. Items reported are those which could be assessed within the
scheduled timeframe and scope.
SCOPE AND METHODOLOGY
The scope of this study included, but was not limited to, the assessment of controls employed to
manage staff initiated training. To facilitate this study, OFPA performed substantive testing on a
sample of the training expenses. Testing the overall practices related to the approval and
monitoring of staff initiated training was relegated to compliance with control best practices (as
deemed by OFPA), as no current County policy for training exists. To that end, we obtained
disbursement registers for FY 2015 and FY 2016 from the Department of Finance (DOF). These
files were data mined to extract training related expenditures agency wide. OFPA selected a
total sample of 100; 50 General Ledger (GL) expenditures and 50 Procurement Card (P-Card)
expenditures. The periods of review of this study were FY 2015 and FY 2016. The test samples
were chosen utilizing a random selection and judgment. These samples were then reviewed to
assess if training expensed to the County was deemed appropriate for the staff’s job
description. Supporting documentation for these samples was obtained from FOCUS and the
related agencies/departments. This information was utilized to assess the appropriateness of
the trainings and approvals.
While reviewing the training supporting documentation, OFPA assessed if the training was local
or non-local. The local and non-local trainings include other expenses such as airfare, lodging,
meals, mileage, etc. These were reviewed to assess compliance with the guidelines and
standards in Procedural Memorandum No. 06-03 (Fairfax County’s Travel Policies and
Procedures). OFPA also reviewed the accounting for these expenses by the
agencies/departments.
OBJECTIVES AND RESULTS
Business Objectives | Study Assessment
Staff Initiated Training Properly Approved | Satisfactory
Supporting Documentation for Staff Initiated Training | Satisfactory
Approved County Staff Initiated Training Policy - DHR | Unsatisfactory
Training Aligned with Employee’s Position Description - DFS | Needs Improvement
Approval of Reimbursable Expenses – Circuit Court | Needs Improvement
Control Summary
Good Controls:
Training approved by appropriate parties.
Supporting documentation for staff initiated training retained by agencies/departments.
Weak Controls:
Lack of an approved training policy which details uniform guidelines and/or standards. - DHR
Assessment of available training from the County prior to the approval of staff initiated external training. - DFS
Proper use of the DOF guidance on the use of approval for travel not in compliance. – Circuit Court
OBSERVATION(S) AND ACTION PLAN(S)
The following table(s) detail observation(s) and recommendation(s) from this study along with
management’s action plan(s) to address these issue(s).
County-Wide Training Policy
Risk Ranking LOW
As per information provided by Office of Development and Training (OD&T), no policy documents exist which
detail guidance for external training taken by County staff. Testing the overall practices related to the approval
and monitoring of staff initiated training was relegated to compliance with best practices as deemed by OFPA.
A policy of this type could be utilized to address concerns related to staff’s request and management’s approval
of non-traditional courses. The sample testing revealed several instances whereby training attended by
employees did not align with their job descriptions. To further our review, OFPA liaised with OD&T to determine
if similar courses are offered by the County. We were able to identify several courses in EmployeeU that related
to these trainings that were attended by staff.
Recommendation
OFPA recommends that consideration be given to developing and implementing a Training Policy which would
provide standards and guidelines to be utilized by all County agencies/departments. This policy would assist
management in minimizing the procurement of non-essential and non-appropriate staff initiated training which
is expensed to the County.
Action Plan
Point of Contact | Target Implementation Date | Email Address
Cathy Spage, Robin Baker | 1st July 2017 |
MANAGEMENT RESPONSE:
To date, the County has not had a policy for training as it has primarily been a decentralized activity
dependent upon the individual agencies understanding their business requirements. In recent years, the
County has moved toward providing more robust training programs through the Department of Human
Resources (DHR) Organizational Development and Training (OD&T) Division. For the most part, agencies
have had little flexibility to do specialized training given budget constraints, and large undertakings have
required approval from other County leadership and the Department of Management and Budget.
In response to the recommendation (above) we have drafted a new policy that is general but essentially
directs agency staff to consult OD&T on new training initiatives. DHR has created many close connections
with our partners in the agency, which we utilize to ensure consistency and standards. Therefore, our intent
is to review the policy with the executive staff and once approved utilize our existing communication
channels to share the new policy. This includes adding it to the OD&T website; distributing it in the HR
Managers meeting; discussing it in the OD&T Community of Practices; and distributing it to all Training
Administrators and Coordinators.
Any questions can be directed to Robin Baker, Division Chief for OD&T or Cathy Spage, HR Director.
Training Aligned with Employee’s Position Description - DFS
Risk Ranking LOW
In performing the sample testing of DFS’s staff initiated training expenses and approvals, we identified training
for staff provided by a vendor (Starr Commonwealth) on healing racism. The total cost for this training, which
was attended by 5 DFS employees, was ~$23,576. We found 4 charges to this vendor within the last 5 years
totaling ~$48,575. Included in those charges was ~$24,999 related to three onsite training sessions for 222 DFS
employees. From a sample review of DFS employees that attended the training sessions, it was not definitively
clear that this training was a requirement for occupying their positions. As per DFS, there is no written policy on
mandatory training of this type for the agency. DFS did communicate that they have written guidance on how
division managers and supervisors initiate training. Working with OD&T, we identified several courses of this
type that were available in the EmployeeU catalog.
No exceptions were noted whereby the staff initiated training selected was not aligned with the employee’s
PD.
Recommendation
We recommend DFS management develop a memorandum providing guidance on the process of reviewing
EmployeeU’s course catalog. This process would assist management in identifying training on topics of interest
before procuring training from an outside vendor. The memorandum should be circulated throughout the
agency to complement the existing efforts.
Action Plan
Point of Contact | Target Implementation Date | Email Address
Dana Thompson | 1st May 2017 |
MANAGEMENT RESPONSE:
The “4 charges” identified by the audit “to the vendor within the last 5 years totaling $48,575” included charges
of $24,999 for three on-site (Fairfax County) training sessions for 222 DFS employees and $23,576 for a Train the
Trainer training attended by five DFS employees. The cost for the Train the Trainer was considered a financially
sound expenditure as it allowed DFS staff to continue providing this training as certified trainers themselves
precluding the need to pay vendors to provide the training. (Of note, the two aforementioned training charges
occurred prior to the FY 2015 and FY 2016 audit scope time frame.) As a result of the certified, in-house, DFS
trainers, no charges were incurred from FY 2014 onward and to date, 1400 employees have received the
training to include staff from DFS, Community Services Board (CSB), Neighborhood Community Services (NCS),
Juvenile and Domestic Relations District Court (JDRDC), at no additional cost.
The Department welcomes the opportunity to develop a memorandum providing guidance on the process to
review Employee U’s Catalog which will be circulated throughout the agency by May 1, 2017. It should be noted
that there were no comparable in-person, instructor led diversity training in existence during the period when
this training was initiated in 2011/2012, nor does any such training currently exist. In fact, a review of the
current OD&T Course Catalog: Course Descriptions 2016 and posted EmployeeU offerings only reflect on-line
courses ranging from 0.3 to 1.25 hours in length. The Department will further consult with OD&T to confirm or
clarify their diversity course offerings and availability.
Approval of Reimbursable Expenses
Risk Ranking LOW
Included in this study, OFPA also reviewed training related expenses such as lodging, airfare, mileage,
taxi/shuttle, and meals. Sample substantive testing of staff initiated training revealed lodging fees expensed by
an employee which exceeded the Federal Per Diem Rate. Additionally, no authorization form was attached for
this expense as required by Fairfax County’s Travel Policy (Procedural Memorandum No. 06-03). The
department asserted its understanding that written authorization was only required if the expenditure
exceeded 150% of the Federal Per Diem Rate. In point of fact, an authorization form is required for any expense
which exceeds the Federal Per Diem Rate. In this instance the County incurred lodging charges of $676, of
which $192 more than the allowable rate was expensed.
Recommendation
As the error was due to a misinterpretation of Fairfax County’s Travel Policy, we recommend that a
memorandum clarifying Fairfax County’s Travel Policy (for reimbursable expenses) be circulated to staff.
Action Plan
Point of Contact | Target Implementation Date | Email Address
Gerarda Culipher | (Implemented) 23rd January 2017 |
MANAGEMENT RESPONSE:
G8080: Thank you for this important review, and for helping identify best practices for travel authorization
processes. While our agency had understood the County’s Travel Policy on General Services Administration
(GSA) daily lodging caps to be satisfied by the County’s own “Travel Authorization Form,” we are glad to begin
sending an additional letter any time this fact-pattern presents.
TIME AND ATTENDANCE REVIEW
OBSERVATIONS AND ACTION PLAN
BACKGROUND
At the request of the Audit Committee (AC), the Time and Attendance study was added to the
March 2017 work plan. The purpose of this review was to determine, on a sample basis, if staff
leave is being captured in FOCUS (HCM). Non-work hours taken during the scheduled work day
should be recorded as Annual Leave, Sick Leave, Compensation Leave if applicable, etc.
Additionally, OFPA reviewed the controls in place to manage and approve the leave time with
agencies and their effectiveness based on the assessment. The results of this study may not
highlight all of the risks/exposures, process gaps, revenue enhancements and/or expense
reductions which could exist in the area. Items reported are those which could be assessed
within the scheduled timeframe and scope.
SCOPE AND METHODOLOGY
The scope of this study included, but was not limited to, assessing FOCUS (HCM) Time and
Attendance: segregation of duties, compliance with policies and procedures, supervisory
approvals, overtime and other paid leave (e.g., compensatory, administrative, etc.). OFPA
also reviewed supporting documentation for employees’ time; this included reconciling a
sample of employees’ payroll time to data entry into FOCUS (HCM). OFPA utilized several
County personnel policies as standards by which the testing was performed.
Source data utilized to perform the testing included employees’ time records, work schedules,
and authorized approvers. With the assistance of DHR staff, Point & Click Enterprise Ad-Hoc
Query System (PEAQ) and FOCUS (HCM) data were utilized as support for the time
reporting analysis. Election and state employees’ data was excluded from the review. Data from
the seven agencies selected was data mined for Positive Time Reporting employees only.
Positive time reporting is a process whereby an employee must record all absences and hours
worked. The process differs from Negative Time Reporting whereby the employee is only
required to report leave. Employees utilizing the Negative Time Reporting method were
excluded from this review as risks associated with this process were deemed diminished by
comparison. Sampling for this study was performed utilizing Microsoft Excel’s Random Number
Generator with some judgement. This process was designed to gain some assurance that the
sampling process was unbiased. For each employee in the sample a random month/year was
selected for testing. A list of all employees with HCM Time Approver Roles was matched
against approvals in FOCUS. Our testing also included an assessment of the appropriateness of
time categories. The periods of review were January 2015 through December 2016.
OBJECTIVES AND RESULTS
Business Objectives | Study Assessment
Record Retention and Archiving | Satisfactory
Updated Authorized Time Approvers Lists | Satisfactory
Timekeeping Controls – FCPA | Needs Improvement
Control Summary
Good Controls:
Payroll records properly archived and retained in accordance with Record Retention Policy based on sample selected.
Only authorized approvers were identified in the sample selected. Additionally, the authorized approver list was complete and accurate based on a validation process with staff.
Weak Controls:
Process of approval and data entry for staff’s time was not adequately segregated. – FCPA
OBSERVATION(S) AND ACTION PLAN(S)
The following table(s) detail observation(s) and recommendation(s) from this study along with
management’s action plan(s) to address these issue(s).
Timekeeping Controls
Risk Ranking LOW
OFPA’s review of controls re: the practices of recording time and attendance for County employees reflected
some instances whereby the data entry practices could be enhanced. The related substantive testing of the
Fairfax County Park Authority’s (FCPA) timekeeping records revealed instances whereby management initiated
and approved employees’ time in FOCUS (HCM). OFPA liaised with FCPA to assess this process. FCPA concurred
with the preliminary assessment of a control risk. As per management, there have been efforts to make
improvements to this process. As part of this review, the visibility of the control risk was highlighted.
Management also asserted that the results of this review will assist in expediting the implementation of
enhancements. There were four occurrences of this event by management. While no policy exists in the County
whereby this practice is prohibited, it does degrade the inherent control structure related to segregation of
duties.
Recommendation
Efforts should be made to have separate individuals enter and approve employees’ time. In the event this
process cannot be implemented due to some operational constraints, mitigating controls should be performed
(e.g., whereby time entered into FOCUS is reconciled each pay period to the source documentation).
Evidence of review and approval should be documented, approved and maintained as evidence of compliance
with this effort.
Action Plan
Point of Contact | Target Implementation Date | Email Address
Diane Roteman, Janet Burns | 31st August 2017 |
MANAGEMENT RESPONSE:
Management has issued memorandums in the past requesting that staff comply with the initiative of entering
and approving time worked. FCPA also has over 20 FOCUS Timekeepers that are able to enter employee’s time;
this list has been circulated to FCPA supervisors and managers as a resource. Given the continued infractions,
FCPA will recirculate this directive. If feasible at the existing staff levels, consideration will be made to perform
quarterly reconciliations of source documentation and data entry on a sample basis. Additionally, this issue was
discussed with the FCPA leadership team so that they may monitor and reinforce the need for separation of
duties.
APPENDICES
APPENDIX A
UNIFORMED RETIREMENT SYSTEM
Acadian Asset Management, Boston, MA
Anchorage Capital Group, New York, NY
AQR Capital Management, Greenwich, CT
Ashmore Investment Management, London, UK
BlueCrest Capital Management, London, UK
BNY Mellon Cash Investment Strategies, Pittsburgh, PA
Brandywine Global Investment Management, Philadelphia, PA
Bridgewater Associates, Westport, CT
Cohen & Steers Capital Management, New York, NY
Criterion Capital Management, San Francisco, CA
Czech Asset Management, L.L.P., Old Greenwich, CT
Davidson Kempner Institutional Partners, LP, New York, NY
DoubleLine Capital, Los Angeles, CA
Garcia Hamilton & Associates, Houston, TX
Gresham Investment Management, LLC, New York, NY
HarbourVest Partners, LLC, Boston, MA
JP Morgan Investment Management, New York, NY
King Street Capital Management, LLC, New York, NY
Manulife Asset Management, Boston, MA
Marathon Asset Management, London, UK
Millennium Management, LLC, New York, NY
OrbiMED Healthcare Fund Management, New York, NY
Pantheon Ventures, Inc., San Francisco, CA
Parametric Portfolio Advisors, Edina, MN
PIMCO, Newport Beach, CA
Siguler Guff & Co. LP, New York, NY
Starboard Value and Opportunity, LTD., New York, NY
Systematica Investments Limited, Geneva, Switzerland
UBS Realty Investors, LLC., Hartford, CT
Wellington Management Co., LLP, Boston, MA
APPENDIX B
EMPLOYEES' RETIREMENT SYSTEM
Aberdeen Asset Management Inc., Philadelphia, PA
AQR Capital Management, Greenwich, CT
Axiom Investors, Greenwich, CT
BlackRock Inc., San Francisco, CA
BNY Mellon Cash Investment Strategies, Pittsburgh, PA
Brandywine Global Investment Management, Philadelphia, PA
Bridgewater Associates, Westport, CT
Cohen & Steers Capital Management, New York, NY
Columbia Wanger Asset Management, Chicago, IL
Czech Asset Management, L.P., Old Greenwich, CT
DePrince, Race & Zollo, Winterpark, FL
DoubleLine Capital, L.P., Los Angeles, CA
Dyal Capital Partners, New York, NY
Eagle Trading Systems, Inc., Princeton, NJ
Emerging Sovereign Group, LLC, New York, NY
First Eagle Investment Management, New York, NY
Hoisington Investment Management Co., Austin, TX
JP Morgan Investment Management, New York, NY
Lazard Asset Management, LLC., New York, NY
LSV Asset Management, Chicago, IL
Marathon Asset Management, London, UK
Marathon Asset Management, New York, NY
Millennium Management, LLC, New York, NY
Nicholas Company, Milwaukee, WI
Parametric Portfolio Advisors, Edina, MN
PIMCO, Newport Beach, CA
Post Advisory Group, Los Angeles, CA
QMS Capital Management, LP, Durham, NC
Quantitative Management Associates, Newark, NJ
Pzena Investment Management, New York, NY
Research Affiliates, LLC, Newport Beach, CA
Sands Capital Management, Arlington, VA
Shenkman Capital Management, New York, NY
Stark Investments, St. Francis, WI
WCM Asset Management, Laguna Beach, CA
APPENDIX C
POLICE OFFICERS RETIREMENT SYSTEM
Acadian Asset Management, Boston, MA
AQR Capital Management, Greenwich, CT
BlackRock, San Francisco, CA
BlueCrest Capital Management, London, UK
BNY Mellon Cash Investment Strategies, Pittsburgh, PA
Bridgewater Associates, Westport, CT
Cohen & Steers Capital Management, New York, NY
Czech Asset Management, Old Greenwich, CT
DoubleLine Capital, Los Angeles, CA
Dyal Capital Partners, New York, NY
Emerging Sovereign Group, LLC, New York, NY
First Eagle Investment Management, New York, NY
King Street Capital Management, LLC, New York, NY
Loomis Sayles & Co, Boston, MA
Oaktree Capital Management, Los Angeles, CA
Parametric Portfolio Advisors, Edina, MN
PIMCO, Newport Beach, CA
Sands Capital Management, Inc., Arlington, VA
Solus Alternative Asset Management, L, New York, NY
Starboard Value and Opportunity, LTD., New York, NY
Systematica Investments Limited, Geneva, Switzerland
WCM Asset Management, Laguna Beach, CA
LIST OF ACRONYMS
AC Audit Committee
BOS Board of Supervisors
CAFR Comprehensive Annual Financial Report
CSB Community Services Board
DCCS Department of Cable and Consumer Services
DFS Department of Family Services
DHR Department of Human Resources
DOF Department of Finance
DOT Department of Transportation
DPMM Department of Procurement and Material Management
EY End of Year
FBSG FOCUS Business Support Group
FCPA Fairfax County Park Authority
FY Fiscal Year
GAAP Generally Accepted Accounting Principles
G/L General Ledger
GSA General Services Administration
HCM Human Capital Management
JDRDC Juvenile and Domestic Relations District Court
NAV Net Asset Value
NCS Neighborhood Community Services
OD&T Office of Development and Training
OEM Office of Emergency Management
OFPA Office of Financial and Program Audit
P-Card Procurement Card
PD Position Description
PEAQ Point & Click Enterprise Ad-Hoc Query System
PM Procedural Memorandum
RAA Retirement Administration Agency
RFP Request for Proposal
VMF Vendor Master File
VRS Virginia Retirement System